Products & Services

Compare Models

With Cisco ASA firewalls, you can integrate multiple enterprise-class, next-generation network security services without sacrificing performance. Cisco ASA combines the most deployed stateful inspection firewall in the industry with next-generation firewall capabilities.

Read more about the ASA 5500 and ASA 5500-X Series for small and branch offices.

Cisco ASA Model ASA 5505 / Security Plus ASA 5510 / Security Plus ASA 5512-X / Security Plus ASA 5515-X
Stateful Inspection throughput (max1) Up to 150 Mbps Up to 300 Mbps 1 Gbps 1.2 Gbps
Stateful Inspection throughput (multiprotocol2) - - 500 Mbps 600 Mbps
Next-Generation throughput3 (multiprotocol) - - 200 Mbps 350 Mbps
IPS throughput4 Up to 75 Mbps with AIP SSC-5 Up to 150 Mbps with AIP SSM-10; 300 Mbps with AIP SSM-20 250 Mbps
(Extra hardware module not required)
400 Mbps
(Extra hardware module not required)
Concurrent sessions 10,000 /25,000 50,000 /130,000 100,000 250,000
Connections per second 4,000 9,000 10,000 15,000
Packets per second (64 byte) 85,000 190,000 450,000 500,000
3DES/AES VPN throughput5 100 Mbps 170 Mbps 200 Mbps 250 Mbps
Site-to-site and IPsec IKEv1 client VPN user sessions 25 250 250 250
AnyConnect or clientless VPN user sessions 25 250 250 250
Cisco Cloud Web Security users 25 75 100 250
VLANs 3 (trunking disabled) / 20 (trunking enabled) 50 / 100 50 / 100 100
High-availability support6 Not available Not available; A/A and A/S Not available; A/A and A/S A/A and A/S
Integrated I/O 8-port FE with 2 Power over Ethernet (PoE) ports 5-port FE / 2-port 10/100/1000, 3-port FE 6-port 10/100/1000 6-port 10/100/1000
Expansion I/O Not available 4-port 10/100/1000 or 4-port GE (SFP) 6-port 10/100/1000 or 6-port GE (SFP) 6-port 10/100/1000 or 6-port GE (SFP)
Dual power supplies Not available Not available Not available Not available
Power AC/DC AC/DC AC/DC AC/DC

1 Maximum throughput with UDP traffic measured under ideal test conditions
2 Multiprotocol = Traffic profile consisting primarily of TCP-based protocols/applications like HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS
3Throughput was measured using ASA CX Software Release 9.1.1 with multi-protocol traffic profile with both Application Visibility Control (AVC) and Web Security Essentials (WSE). Traffic logging was enabled as well.
4 Firewall traffic that does not go through IPS service can have higher throughput.
5 VPN throughput and sessions count depend on the ASA device configuration and VPN traffic patterns. These elements should be taken into consideration as part of your capacity planning.
6 A/A = Active/Active; A/S = Active/Standby


Cisco ASA next-generation firewalls are available in a wide range of sizes and performance levels to fit your network and budget. They also combine stateful inspection and next-generation firewall capabilities with a comprehensive suite of next-generation network security services. There's a solution to meet your evolving security needs — for security without compromise.

Read more about the ASA 5500 and ASA 5500-X Series for the Internet Edge.

Cisco ASA Model ASA 5520 ASA 5525-X ASA 5540 ASA 5545-X ASA 5550 ASA 5555-X
Stateful Inspection throughput (max1) 450 Mbps 2 Gbps 650 Mbps 3 Gbps 1.2 Gbps 4 Gbps
Stateful Inspection throughput (multiprotocol2) - 1 Gbps - 1.5 Gbps - 2 Gbps
Next-Generation throughput3 (multiprotocol) - 650 Mbps - 1 Gbps - 1.4 Gbps
IPS throughput4 Up to 225 Mbps with AIP SSM-10; 375 Mbps with AIP SSM-20; 450 Mbps with AIP SSM-40 600 Mbps
(Extra hardware module not required)
Up to 500 Mbps with AIP SSM-20; 650 Mbps with AIP SSM-40 900 Mbps
(Extra hardware module not required)
Not Available 1.3 Gbps
(Extra hardware module not required)
Concurrent sessions 280,000 500,000 400,000 750,000 650,000 1,000,000
Connections per second 12,000 20,000 25,000 30,000 33,000 50,000
Packets per second (64 byte) 320,000 700,000 500,000 900,000 600,000 1,100,000
3DES/AES VPN throughput5 225 Mbps 300 Mbps 325 Mbps 400 Mbps 425 Mbps 700 Mbps
Site-to-site and IPsec IKEv1 client VPN user sessions 750 750 5,000 2,500 5,000 5,000
AnyConnect or clientless VPN user sessions 750 750 2,500 2,500 5,000 5,000
Cisco Cloud Web Security users 300 500 1,000 1,500 2,000 3,000
VLANs 150 200 200 300 400 500
High-availability support6 A/A and A/S A/A and A/S A/A and A/S A/A and A/S A/A and A/S A/A and A/S
Integrated I/O 4-port 10/100/1000 and 1-port FE 8-port 10/100/1000 4-port 10/100/1000 + 1-port FE 8-port 10/100/1000 8-port 10/100/1000 + 1-port FE 8-port 10/100/1000
Expansion I/O 4-port 10/100/1000 or 4-port GE (SFP) 6-port 10/100/1000 or 6-port GE (SFP) 4-port 10/100/1000 or 4-port GE (SFP) 6-port 10/100/1000 or 6-port GE (SFP) None 6-port 10/100/1000 or 6-port GE (SFP)
Dual Power Supplies Not available Not available Not available Not available Not available Yes
Power AC/DC AC/DC AC/DC AC/DC AC/DC AC/DC

1 Maximum throughput with UDP traffic measured under ideal test conditions
2 Multiprotocol = Traffic profile consisting primarily of TCP-based protocols or applications like HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS.
3Throughput was measured using ASA CX Software Release 9.1.1 with multi-protocol traffic profile with both Application Visibility Control (AVC) and Web Security Essentials (WSE). Traffic logging was enabled as well.
4 Firewall traffic that does not go through IPS service can have higher throughput.
5 VPN throughput and sessions count depend on the ASA device configuration and VPN traffic patterns. These elements should be taken into consideration as part of your capacity planning.
6 A/A = Active/Active; A/S = Active/Standby

Cisco ASA firewalls protect networks of all shapes and sizes, with consistent security across hybrid infrastructures — physical, virtual, and cloud. These solutions combine the most deployed firewall in the industry with a full complement of next-generation network security services. They protect corporate networks while providing employees with secure access to data — anytime, anywhere, using any device.

Read more about the Cisco ASA firewalls for large enterprises and data centers.

Cisco ASA Model ASA 5585-X with SSP10 ASA 5585-X with SSP20 ASA 5585-X with SSP40 ASA 5585-X with SSP60 ASA Services Module
Stateful Inspection throughput (max1) 4 Gbps 10 Gbps 20 Gbps 40 Gbps 20 Gbps
Stateful Inspection throughput (multiprotocol2) 2 Gbps 5 Gbps 10 Gbps 20 Gbps 16 Gbps
Next-Generation throughput3 (multiprotocol) 2 Gbps
(with ASA CX SSP-10)
5 Gbps
(with ASA CX SSP-20)
Not available Not available Not available
IPS throughput4 (multiprotocol) 2 Gbps
(with IPS SSP-10)
3 Gbps
(with IPS SSP-20)
5 Gbps
(with IPS SSP-40)
10 Gbps
(with IPS SSP-60)
Not available
Concurrent sessions 1,000,000 2,000,000 4,000,000 10,000,000 10,000,000
Connections per second 50,000 125,000 200,000 350,000 300,000
Packets per second (64 byte) 1,500,000 3,000,000 5,000,000 9,000,000 5,000,000
3DES/AES VPN throughput5 1 Gbps 2 Gbps 3 Gbps 5 Gbps 2 Gbps
Site-to-site and IPsec IKEv1 client VPN user sessions 5,000 10,000 10,000 10,000 10,000
AnyConnect or clientless VPN user sessions 5,000 10,000 10,000 10,000 10,000
Cisco Cloud Web Security users 7,500 7,500 7,500 7,500 7,500
Integtrated I/O 8-port 10/100/1000 and 2-port 10 GE (SFP+)6 8-port 10/100/1000 and 2-port 10 GE (SFP+)6 6-port 10/100/1000 and 4-port 10 GE (SFP+) 6-port 10/100/1000 and 4-port 10 GE (SFP+) Provided by the switch or router
Expansion I/O7 8-port 10 GE(SFP/SFP+) or
4-port 10 GE(SFP/SFP+) or
20-port 1 GE (12-port 1 GE SFP and 8-port 10/100/100)
Provided by the switch or router
Dual power supplies Yes Yes Yes Yes Yes. Provided by the switch or router
VLANs 1,024 1,024 1,024 1,024 1,000
High-availability support8 1,024 1,024 1,024 1,024 1,000
Power AC AC AC AC AC/DC provided by the switch or router

1 Maximum throughput with UDP traffic measured under ideal test conditions
2 Multiprotocol = Traffic profile consisting primarily of TCP-based protocols/applications like HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS.
3Throughput was measured using ASA CX Software Release 9.1.1 with multi-protocol traffic profile with both Application Visibility Control (AVC) and Web Security Essentials (WSE). Traffic logging was enabled as well.
4 Firewall traffic that does not go through IPS SSP module can have higher throughput.
5 VPN throughput and sessions count depend on the ASA device configuration and VPN traffic patterns. These elements should be taken into consideration as part of your capacity planning.
6 Requires a separate license
7 Half-width modules
8 A/A = Active/Active; A/S = Active/Standby

Let Us Help

Share